Stealthier version of Linux BPFDoor malware spotted in the wild

A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications.

BPFDoor is a stealthy backdoor malware that has been active since at least 2017 but was only discovered by security researchers around 12 months ago.

The malware gets its name from the use of the 'Berkley Packet Filter' (BPF) for receiving instructions while bypassing incoming traffic firewall restrictions.

BPFDoor is designed to allow threat actors to maintain lengthy persistence on breached Linux systems and remain undetected for extended periods.

New BPFDoor version

Until 2022, the malware used RC4 encryption, bind shell and iptables for communication, while commands and filenames were hardcoded.

The newer variant analyzed by Deep Instinct features static library encryption, reverse shell communication, and all commands are sent by the C2 server.

Differences between the old and new versions (Deep Instinct)

 

By incorporating the encryption within a static library, the malware developers achieve better stealth and obfuscation, as the reliance on external libraries like one featuring the RC4 cipher algorithm is removed.

The main advantage of the reverse shell against the bind shell is that the former establishes a connection from the infected host to the threat actor's command and control servers, allowing communication to the attackers' servers even when a firewall protects the network.

Finally, removing hardcoded commands makes it less likely for anti-virus software to detect the malware using static analysis like signature-based detection. It theoretically also gives it more flexibility, supporting a more diverse command set.

Deep Instinct reports that the latest version of BPFDoor is not flagged as malicious by any available AV engines on VirusTotal, despite its first submission on the platform dating February 2023.

Operation logic

Upon first execution, BPFDoor creates and locks a runtime file at "/var/run/initd.lock," and then forks itself to run as a child process, and finally sets itself to ignore various OS signals that could interrupt it.

OS signals the malware is set to ignore (Deep Instinct)

 

Next, the malware allocates a memory buffer and creates a packet sniffing socket that it'll use for monitoring incoming traffic for a "magic" byte sequence ("\x44\x30\xCD\x9F\x5E\x14\x27\x66").

Looking for the magic byte sequence (Deep Instinct)

 

At this stage, BPFDoor attaches a Berkley Packet Filter to the socket to read only UDP, TCP, and SCTP traffic through ports 22 (ssh), 80 (HTTP), and 443 (HTTPS).

Any firewall restrictions present on the breached machine won't impact this sniffing activity because BPFDoor operates at such a low level that they're not applicable.

BPF on a socket (Deep Instinct)

 

"When BPFdoor finds a packet containing its "magic" bytes in the filtered traffic, it will treat it as a message from its operator and will parse out two fields and will again fork itself," explains Deep Instinct.

"The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a Command & Control IP-Port combination and will attempt to contact it."

After establishing a connection with the C2, the malware sets up a reverse shell and waits for a command from the server.

Operational diagram
(Deep Instinct)

 

BPFDoor remains undetected by security software, so system admins may only rely on vigorous network traffic and logs monitoring, using state-of-the-art endpoint protection products, and monitor the file integrity on "/var/run/initd.lock."

Also, a May 2022 report by CrowdStrike highlighted that BPFDoor used a 2019 vulnerability to achieve persistence on targeted systems, so applying the available security updates is always a crucial strategy against all types of malware.

Source